Visa Drops Global Payments in Wake of Credit Card Data Breach

Visa says Global Payments is no longer on the list of compliant service providers following a breach that may have compromised up to 1.5 million Visa and MasterCard accounts.

Visa has dropped Global Payments from its list of companies that are deemed compliant with security policies following a data breach that may have compromised as many as 1.5 million Visa and MasterCard accounts.

Visa's decision to drop Global Payments from its registry of service providers that meet the credit card company's data security standards came April 1, two days after the breach became public. During a conference call April 2 to discuss the situation, Global Payments CEO Paul Garcia talked about Visa's move, and reportedly said he expects his company to be returned to the list after it comes back into compliance with the Visa policies. However, Garcia didn't say when that may be.

Officials with Visa and MasterCard announced last week that data from credit card accounts was stolen following a data breach at a third-party processor, and stressed that their own servers had not been compromised. The credit card companies initially did not say which transaction processing company was attacked, but it soon leaked out that it was Global Payments.

In a statement released April 1, Global Payments executives said that the data breach affected fewer than 1.5 million accounts, and that the impact was contained to North America. The statement said the information stolen was Track 2 card data, which comprises information accessed by ATMs and credit card checkers, such as the cardholders account and encrypted PIN.

However, what data was possibly stolen was one of a number of discrepancies between what Visa and MasterCard reported, and what Global Payments said, according to Gartner analyst Avivah Litan. In a blog post April 2, she noted that the credit card companies said that Track 1 data including cardholder names and account numbers as well as Track 2 information were accessed. Global Payments officials said in the statement that cardholder names, addresses and Social Security numbers were not obtained by the criminals.

In addition, Visa had said the data breach occurred between Jan. 21 and Feb. 25, while Global Payments officials said they detected and reported the breach in early March. Global payments also had not heard about any reports about fraud occurring on the stolen cards, Litan said.

"Sounds like there's a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about," she wrote.